
Second Exim running on port 587 - How to force authenticated SMTP only?

Discussion in 'E-mail Discussions' started by Quark, Sep 13, 2008.

  1. Quark

    With the second instance of Exim running on port 587 - How would I modify the configuration in the Advanced Editor to allow authenticated SMTP only on that port? By default, port 587 accepts standard smtp as well as authenticated smtp...I'd like to make it so that standard smtp is not accepted on port 587.

    Hope that's clear. :) And look forward to any assistance people can offer!
     
  2. RickG

    1) Disable any check boxes in WHM > Service Manager > that reference antirelayd

    2) Clear out any values in /etc/relayhosts and /etc/relayhostsusers (these are updated when POP-before-SMTP is active).

    3) Place a blank file called antirelayddisable in the /etc/ directory (depends on version of cPanel but don't think it can hurt).

    4) Restart Exim.
     
  3. Quark

    Hi Rick --

    Thank you for your suggestion.

    I tried that, but it still allows normal SMTP on port 587 without authentication (it supports authentication, too, but I don't want inbound mail to come via 587, only to allow users to send outbound mail via smtp auth).

    Any further thoughts?

    I'm running WHM 11.23.2 cPanel 11.23.6-S27225.

    My reasoning for this -- we have a Barracuda in front of all our mail servers and don't want spammers circumventing it by sending inbound mail directly via port 587 that we need open for users to smtp_auth. :)

    Thanks!

    ...Q
     
  4. Quark

    [my post didn't pass a re-read sanity check! So I edited it out]

    Hope to still find a solution for port 587, though!
     
    #4 Quark, Sep 14, 2008
    Last edited: Sep 14, 2008
  5. Quark

    OK -- I think I have a workable solution! :) Back up your configs before trying any of this if anyone else wants to try...

    Go to:
    Main >> Service Configuration >> Exim Configuration Editor

    Click on:
    Advanced Editor

    Scroll down to:
    begin acl

    There will be two textareas; look in the second textarea and find:
    accept hosts = *
    authenticated = *

    Underneath these two lines add:

    Code:
    # Added to restrict 587 to smtp_auth only
    accept  hosts = +auth_relay_hosts
            condition = ${if eq {$interface_port}{587} {yes}{no}}
            endpass
            message = relay not permitted, authentication required
            authenticated = *

    Scroll down and hit SAVE, it should save the config and restart Exim. I have tested it in my environment and it works for me. Port 25 still works as expected, but port 587 now REQUIRES smtp authentication. Mission accomplished for me.

    ** THIS WORKED FOR ME, if you try this and it works for you, please post in this thread. I don't want people trying this unless they are a) careful/knowledgeable or b) comfortable that this has worked for more than one person! :) **
     
  6. RickG

    Q: Have you made any changes to exim.conf, either directly or through the advanced editor prior to this?

    With antirelayd disabled and relayhostsusers and relayhosts empty (I would double check to make certain they stayed clear in between the time you restarted exim), you should not be able to send mail on 587 w/o authentication. I've double tested this on many systems ... and without checking "My outgoing mail server requires authentication" (or similar option, depending on mail client), I can't send mail through the server.

    You should not have to manually add the entries you posted into the advanced configuration editor (although glad they work). In the WHM, I would seriously consider going under Service Configuration -> Exim Configuration Editor -> and Reset ACL configs to their default settings and see how things work from there.
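
An added example, not part of the thread or of cPanel's code: a Python check for the behaviour discussed above. It sends EHLO, MAIL FROM and RCPT TO without AUTH and reports whether port 587 refuses the recipient while port 25 still accepts it. The host name and addresses are placeholders, and the `factory` parameter is a hypothetical hook for substituting a stub connection.

```python
import smtplib

def rcpt_without_auth(conn, sender, recipient):
    """EHLO, MAIL FROM, RCPT TO with no AUTH; return the deciding (code, text)."""
    conn.ehlo()
    code, text = conn.mail(sender)
    if 200 <= code < 300:
        code, text = conn.rcpt(recipient)
    conn.rset()  # stop before DATA, so no message is ever queued
    return code, text.decode(errors="replace")

def verdict(port, code):
    """Judge one reply against the goal in the thread."""
    if 200 <= code < 300:
        accepted = True
    elif 500 <= code < 600:
        accepted = False
    else:
        return "inconclusive: temporary or unexpected reply"
    if port == 587:
        return "FAIL: 587 accepts unauthenticated mail" if accepted else "ok: 587 requires AUTH"
    return "ok: 25 accepts inbound mail" if accepted else "FAIL: 25 refuses inbound mail"

def check(host, port, sender, recipient, factory=smtplib.SMTP):
    """Probe one port. `factory` is a hypothetical hook so a stub can replace smtplib.SMTP."""
    conn = factory(host, port, timeout=10)
    try:
        code, text = rcpt_without_auth(conn, sender, recipient)
    finally:
        try:
            conn.quit()
        except smtplib.SMTPServerDisconnected:
            pass  # server already hung up
    return port, code, text, verdict(port, code)

if __name__ == "__main__":
    HOST = "mail.example.com"        # placeholder: your own cPanel server
    LOCAL_RCPT = "user@example.com"  # placeholder: mailbox on a domain hosted there
    for port in (25, 587):
        print(check(HOST, port, "probe@example.net", LOCAL_RCPT))
```

Use a recipient on a domain the server hosts: a recipient on a remote domain tests relaying instead, which is a different check from the inbound case Quark describes.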
     